Appropriate quoting (I hope) follows. The chief concern with DDOS attacks is, as Mr. Ruiu points out, that it is not feasible to protect the entire net. Moreover, he is correct that the solution he proposes would bring with it severe DOS and even new DDOS opportunities, strong authentication notwithstanding. Of course, the issues of international legal enforcement, liability, etc. are glossed over or ignored. In short, adopting a massive Panic Button system, as suggested, would probably open more holes than it would close, and many of the recommended remedies (fire alarm penalties, for instance) would be difficult or impossible to enforce in many circumstances.

The secret, I think, to limiting vulnerability to these sorts of attacks, and limiting exposure, is to cause _someone_ (it doesn't particularly matter who) to internalize the external costs of protection. That is, since (say) the University of California at Santa Barbara has less (theoretical) personal stake in detecting DDOS agents on compromised clients, they will expend no effort to do so. If they fully internalized the costs of the damage, however (if CNN could, for instance, reliably collect the entire potential damages due to loss of service), they would have a greater incentive. The solution, then, becomes primarily technical: a reliable, trustworthy means of identifying the author of a certain packet would need to be obtained, so that packets could not be spoofed.

It should be remembered, too, that legal sanction against (for instance) ISPs will be difficult to enforce in practice. My computer doesn't much care, or notice, if it is being flooded by Rwandan networks or Australian; service is just as denied either way. Legal sanctions against foreign ISPs, however, are very difficult to enforce. Sanctions would have to transcend law and political boundaries, meaning network-wide isolation of offensive networks, not liability assessments.
--Matt

On Fri, 11 Feb 2000, Dragos Ruiu wrote:

> The problem with DDOS:
>
> - It is infeasible to secure the entire net.

<DELETIA>

> As this is an industry wide issue, it is doubtful a single source commercial
> antidote to all the potential DDOS problems can be found with a single
> countermeasure. So I propose a collaboration between service providers -
> an Anti-ddos ISP Coalition to remedy the problem.

<DELETIA>

> . . . There are numerous inherent DoS
> opportunities in such a system so great care needs to be taken between
> Defenders to use strong authentication. In addition, guidelines should be
> drafted so no draconian penalties are imposed on clients that have potentially
> spurious complaints filed against them. I would suggest that no action be
> taken until multiple complaints are filed, and then some sort of attack
> verification process with the victim be used before attack relays are
> notified/penalized. Systems that are repeatedly/consistently used as attackers
> could be filtered/disabled/penalized until appropriate security improvements are
> demonstrated to their ISP - thus providing the motivation for the attack relays
> to care about the damage they are doing and to spend the effort on better
> security.
>
> -To stop this system from being used as a DoS itself, I would propose that
> some sort of fine or other financial penalty be imposed for false or improper
> complaints being filed (like the fines for pulling a fire alarm).
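The complaint-handling rules in the quoted proposal (no action on a single complaint, verification with the victim before a relay is notified, filtering of relays that keep reappearing, and a fine for spurious complaints) as an added toy model; this is not code from the thread or from either author, and the `Coalition` class, the thresholds, the `.example` names and the complaint sequence are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed thresholds for illustration; the proposal itself names no numbers.
COMPLAINT_THRESHOLD = 2     # "no action be taken until multiple complaints are filed"
REPEAT_THRESHOLD = 3        # confirmed incidents before a relay network is filtered
FALSE_COMPLAINT_FINE = 100  # the "fire alarm" fine, in arbitrary units

class Coalition:
    def __init__(self):
        self.pending = defaultdict(set)   # relay -> defenders with open complaints
        self.verified = defaultdict(int)  # relay -> confirmed incidents so far
        self.fines = defaultdict(int)     # defender -> fines for spurious complaints
        self.filtered = set()             # relay networks currently isolated

    def file_complaint(self, defender, relay):
        """Record one complaint; 'verify' once enough independent complaints exist."""
        if relay in self.filtered:
            return "already_filtered"
        self.pending[relay].add(defender)
        if len(self.pending[relay]) >= COMPLAINT_THRESHOLD:
            return "verify"
        return "recorded"

    def verify(self, relay, confirmed):
        """Apply the victim-side check: `confirmed` holds the complainants whose
        report was upheld. Others are fined; a confirmed incident notifies the
        relay's ISP, and a relay that keeps reappearing is filtered."""
        complainants = self.pending.pop(relay, set())
        for defender in complainants - confirmed:
            self.fines[defender] += FALSE_COMPLAINT_FINE
        if len(complainants & confirmed) < COMPLAINT_THRESHOLD:
            return "dismissed"
        self.verified[relay] += 1
        if self.verified[relay] >= REPEAT_THRESHOLD:
            self.filtered.add(relay)
            return "filtered"
        return "notified"

def run_scenario():
    """Constructed complaint sequence (not from the thread) against one relay."""
    c, relay, log = Coalition(), "relay-a.example", []
    victims = {"cnn.example", "yahoo.example"}
    log.append(c.file_complaint("cnn.example", relay))        # recorded
    log.append(c.file_complaint("prankster.example", relay))  # verify
    log.append(c.verify(relay, victims))  # dismissed: prankster fined, one real report
    for _ in range(REPEAT_THRESHOLD):     # confirmed incidents until the relay is cut off
        for v in victims:
            c.file_complaint(v, relay)
        log.append(c.verify(relay, victims))  # notified, notified, filtered
    return c, log
```

Note that the model does nothing about Matt's objection: a spoofed complaint still reaches the desk unless the defenders authenticate to each other, which is exactly why the proposal insists on strong authentication between them.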
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:34:45 PDT